Skip to main content

Microsoft CVE-2026-34506

| EUVDEUVD-2026-17391 LOW
Incorrect Authorization (CWE-863)
2026-03-31 VulnCheck GHSA-xg59-f45v-9r9j
2.3
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.3 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
EUVD ID Assigned
Mar 31, 2026 - 11:45 euvd
EUVD-2026-17391
Analysis Generated
Mar 31, 2026 - 11:45 vuln.today
Patch released
Mar 31, 2026 - 11:45 nvd
Patch available
CVE Published
Mar 31, 2026 - 11:17 nvd
LOW 2.3

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on openclaw (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2026.3.8.

DescriptionCVE.org

OpenClaw before 2026.3.8 contains a sender allowlist bypass vulnerability in its Microsoft Teams plugin that allows unauthorized senders to bypass intended authorization checks. When a team/channel route allowlist is configured with an empty groupAllowFrom parameter, the message handler synthesizes wildcard sender authorization, permitting any sender in the matched team/channel to trigger replies in allowlisted Teams routes.

AnalysisAI

Authorization bypass in OpenClaw Microsoft Teams plugin (versions before 2026.3.8) permits unauthenticated attackers to circumvent sender allowlists when team/channel routes are configured with empty groupAllowFrom parameters. Remote attackers can exploit this network-accessible flaw with low complexity to trigger unauthorized message replies and access sensitive information in allowlisted Teams routes. EPSS and KEV data not available for this recent CVE; no public exploit identified at time of analysis.

Technical ContextAI

OpenClaw is a messaging automation platform with integrations for collaboration tools including Microsoft Teams. The vulnerability resides in the Teams plugin's message routing logic, specifically in how it validates authorized message senders against configured allowlists. The flaw is classified as CWE-863 (Incorrect Authorization), where the authorization check implementation contains a critical logical error. When administrators configure a team/channel route allowlist but leave the groupAllowFrom parameter empty (likely intending to restrict access), the handler incorrectly synthesizes wildcard authorization rules. This causes the system to grant message reply privileges to any sender within the matched team/channel scope, completely negating the intended access controls. The affected component is identified by CPE cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*, with all versions prior to 2026.3.8 vulnerable. This represents a classic authorization logic flaw where insufficient validation of empty configuration values leads to overly permissive security policies.

RemediationAI

Organizations should immediately upgrade to OpenClaw version 2026.3.8 or later, which contains the fix for the authorization bypass vulnerability. The vendor-released patch is available through the GitHub commit at https://github.com/openclaw/openclaw/commit/88aee9161e0e6d32e810a25711e32a808a1777b2, which corrects the message handler logic to properly enforce sender allowlists even when groupAllowFrom parameters are empty. As an interim workaround for environments unable to upgrade immediately, administrators should audit all Microsoft Teams plugin route allowlist configurations to ensure groupAllowFrom parameters are explicitly populated with authorized sender groups rather than left empty. Organizations not using the Teams plugin or team/channel route allowlists are not affected and do not require immediate action. Refer to the official GitHub security advisory at https://github.com/openclaw/openclaw/security/advisories/GHSA-g7cr-9h7q-4qxq for comprehensive remediation guidance and configuration best practices.

Share

CVE-2026-34506 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy